I uninstalled Spyware Doctor yesterday to install a new version, and as soon as I did that, it seems that all hell broke loose. I got all these crashes and trojans popping up as adware. I couldn't use my machine because everything I did online kept getting redirected to some spam page. I was able to install the new Spyware Doctor again, but my monitoring was disabled.

I decided to go into safe mode and had Malwarebytes installed and updated with the latest definitions. It found like 30 infections. Rebooted, back to safe mode, reran it, found some more trojans, fixed them. Ran Spyware Doctor, it kept finding more spyware, removed them, rebooted. Did the same thing in safe mode, running Malwarebytes a few times and Spyware Doctor a few times, and with every run it would find something different.

After all of this last night, this is what I observe.

svchost.exe has two memory 'read' errors at the safe boot startup user login window, twice, causing two beeps. Happens every time and is not detected as a problem by Malwarebytes or Spyware Doctor.

When I log back into regular Windows mode, I see these pop up all the time:

dsca.exe application error
mom.exe application error

It creates all these tmp files in the c:\windows\temp\ and c:\windows\system32 folders.

My Spyware Doctor program always picks up an initial detection of network access, which I have to block, coming from "irc.zief.pl".

As soon as I open up a browser window, eventually the network icon on my taskbar continuously tries to stream something very, VERY slowly, even though I'm not doing anything at that point and the webpage I'm visiting has already finished downloading, and my pages get redirected to some spam site whenever I enter them. I'm lucky to have gotten to this page to type this message.

Over the last ten minutes, Spyware Doctor has picked up these things and I've had to manually block them:

I installed it from a website that wasn't from the company, but all there was was a Spyware Doctor trial version install file and a license key provided, that was it; it did not look like any custom install file or anything.

The problem was that I had a similar trojan attack by the Zafi.B worm a few months ago (that you helped me out with), installed Spyware Doctor 6 for Windows over that, and although it fixed that problem, my PC hasn't felt 100% secure since.

I uninstalled it over the weekend to reinstall it with a new Spyware Doctor 6.0 version I found, and in between the uninstall of the old one and the install of the new one was when everything started to fall apart.

I just got a blue screen on the PC that's infected, so I'm typing on a different computer. The network connection on the infected one kept connecting and disconnecting over and over, on top of all the other observations I originally noted in the first post.

I installed it from a website that wasn't from the company, but all there was was a Spyware Doctor trial version install file and a license key provided, that was it; it did not look like any custom install file or anything.

That's how you got infected then.

The "key" provided was probably just a bunch of letters/numbers. The file you installed was probably named spywaredoctor6.exe, when really it installs malware.

my pc hasn't felt 100% secure since.

Malware does damage to machines all the time; sometimes we can clean it, sometimes we can't. If you feel unsafe, and have the resources to format your machine, then for your own security I would advise you to do so.

If you can use a USB stick to carry across DDS and run it, we'll see what it says.

I will probably have to resolve this, hopefully without a format. Too many years of files and documents to transfer. It would take days to back that up.

Maybe you're right about the Spyware Doctor install file. I just downloaded the actual trial file from the pctools.com website and the file size was 22.5MB, while the file that I have on the infected computer (I checked the properties while in safe mode) is 17.5MB.

Okay, I will run DDS and get back to you shortly.

After I run DDS, should I try to uninstall Spyware Doctor and rerun a Malwarebytes scan after that?
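Comparing file sizes, as in the post above, is a reasonable first hint (22.5MB vs 17.5MB for supposedly the same installer), but size alone can match by accident. The check a practitioner would actually make is a SHA-256 hash against the value the vendor publishes, plus the Authenticode signature on the executable. The following is an added example; it is not code from this thread or from PC Tools, and the file path and expected hash are placeholders you would fill in from the vendor's own download page.

```powershell
# Added example, not from the thread. Verifies a downloaded installer by SHA-256 and
# Authenticode signature. Uses .NET directly instead of Get-FileHash so it also runs
# on the PowerShell 2.0 that was available for Windows XP.
function Get-Sha256Hex {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close(); $sha.Clear() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-Installer {
    param(
        [Parameter(Mandatory=$true)][string]$Path,            # the file you were given
        [Parameter(Mandatory=$true)][string]$ExpectedSha256   # the hash the vendor publishes (assumption: obtained from the vendor's site)
    )
    $file = Get-Item -LiteralPath $Path
    $hash = Get-Sha256Hex -Path $file.FullName
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # 'Valid' means the certificate chain verified and the file was not altered after
    # signing. 'NotSigned' or 'HashMismatch' on a commercial installer is a red flag
    # on its own, whatever the size says.
    New-Object PSObject -Property @{
        File        = $file.FullName
        SizeMB      = [math]::Round($file.Length / 1MB, 1)
        Sha256      = $hash
        HashMatches = ($hash -eq $ExpectedSha256)
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Safe        = (($hash -eq $ExpectedSha256) -and ($sig.Status -eq 'Valid'))
    }
}

# Usage (placeholder path and hash, assumptions for this example):
# Test-Installer -Path 'E:\spywaredoctor6.exe' -ExpectedSha256 '<sha256 from pctools.com>' | Format-List
```

Run this from the clean computer against the copy of the suspect file on the USB stick or external drive, never by executing the file itself. A hash mismatch with a valid signature from some other signer, or no signature at all, is the same verdict as the helper's: the installer, not the license key, is the payload.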

Damn, it's not recognizing my USB flash drive. It works and is detected on this computer that's not infected, but on the affected one it shows the green arrow in the taskbar, but no drive letter is loaded or assigned for me to access the USB drive that has DDS on it. I disabled the network connections on the infected machine when I did a normal boot login.

Is there a workaround for this, or a way to enable the USB through the registry or something?

Wow, so once the USB is disabled, then that's it? Oh my goodness. Isn't there a way to detect and enable the service that's preventing Windows from mounting a drive letter?
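The helper's reply to the USB question is not on the page, but the symptom described (the device enumerates, the tray icon appears, no drive letter is ever assigned) has two well-known registry causes that are worth checking before giving up on the stick: the USBSTOR service start type set to 4 (disabled), and the Explorer NoDrives policy, a bitmask that hides drive letters. The following is an added example, not from the thread; it assumes you are running it in safe mode on the infected machine, since a still-running rootkit can simply put the values back.

```powershell
# Added example, not from the thread. Reports (and with -Repair, resets) the two
# registry settings that most often explain "USB device detected but no drive letter":
#   HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start   4 = disabled, 3 = manual (normal)
#   ...\Policies\Explorer\NoDrives                          bitmask of hidden drive letters
# -Repair needs an elevated (administrator) shell. Written for PowerShell 2.0 syntax.
function Test-UsbStorage {
    param([switch]$Repair)
    $svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $polKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer')

    $start = $null
    if (Test-Path $svcKey) {
        $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    }
    $noDrives = @()
    foreach ($k in $polKeys) {
        $v = (Get-ItemProperty -Path $k -Name NoDrives -ErrorAction SilentlyContinue).NoDrives
        if ($v) { $noDrives += "$k NoDrives=$v" }
    }

    if ($Repair) {
        if ($start -eq 4) {
            Set-ItemProperty -Path $svcKey -Name Start -Value 3 -Type DWord
            $start = 3
        }
        foreach ($k in $polKeys) {
            if (Get-ItemProperty -Path $k -Name NoDrives -ErrorAction SilentlyContinue) {
                Remove-ItemProperty -Path $k -Name NoDrives
            }
        }
        $noDrives = @()
    }

    New-Object PSObject -Property @{
        UsbStorStart   = $start                                  # $null means the key itself is missing
        UsbStorEnabled = (($start -ne $null) -and ($start -ne 4))
        NoDrivesPolicy = $noDrives                               # empty when no letters are hidden
        Repaired       = [bool]$Repair
    }
}

# Test-UsbStorage            # inspect only
# Test-UsbStorage -Repair    # reset, then unplug/replug the stick or reboot
```

If both values look normal and the stick still gets no letter, the driver stack itself may have been tampered with (the thread later lists an unknown .sys under system32\drivers), at which point the external hard drive that did work, as the poster found, is the practical route for the backup.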

I just uninstalled Spyware Doctor and I'm running Malwarebytes right now. I might enable the network connections on that infected machine so that I can get DDS onto the infected machine, run it, and see if there's anything you can do.

Without the USB, this is terrible; that means all of my personal files are trapped on the laptop.

Disconnect the computer from the Internet and from any networked computers until it is cleaned.

Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.

Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.

From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

I need your help, don't tell me I have to reformat everything. There's no way I can get my files off the hard drive? That's years of data, and this laptop unit that I'm using can only store onto 650 CDs; that's not going to be possible to do.

Please tell me there are some options or ways you can get rid of this.


ComboFix just installed the Recovery Console (I had to open up the network connection again) and was about to scan for malware when it detected a few things in the windows/system32 folder, and a window popped up forcing a restart.

c:\documents and settings\Mike\Application Data\IUpd721
c:\documents and settings\Mike\Application Data\IUpd721\Logs\scns.log
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Install.txt
c:\windows\msvrc20.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\drivers\ovfsthletnosvxswprwkmovpepxutlraxrmbft.sys
c:\windows\system32\drt
c:\windows\system32\fhpatch.dll
c:\windows\system32\Install.txt
c:\windows\system32\IPHACTION.dll
c:\windows\system32\iphy.dll
c:\windows\system32\IpSvchostF.dll
c:\windows\system32\kernel32_check.dll
c:\windows\system32\KUtDdJlm.ini
c:\windows\system32\KUtDdJlm.ini2
c:\windows\system32\m3.dll
c:\windows\system32\MX5
c:\windows\system32\ovfsthdsnwgupmmhwpxgemgsxyitelpxyqbpot.dll
c:\windows\system32\ovfsthilxetfqgnxbrbcauafqqmiyasmkymrqr.dat
c:\windows\system32\ovfsthiqjrgmeoyfuexxtdmbxaeqdksdljlklr.dll
c:\windows\system32\ovfsthnioqmiaqahyotobvkilttitlttjlnkvw.dat
c:\windows\system32\ovfsthywvktrhfuhdofmiduvrrqhxlyijqbqxg.dll
c:\windows\system32\riphy.dll
c:\windows\system32\svm
c:\windows\system32\u2
c:\windows\system32\uzuyikud.ini
c:\windows\system32\zb

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^BUFFALO Power Save Utility for HD.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\BUFFALO Power Save Utility for HD.lnk
backup=c:\windows\pss\BUFFALO Power Save Utility for HD.lnkStartup

For some reason, my flash drive was not able to come up as a drive on the infected computer, but my external hard drive was able to get a drive letter.

I'm currently copying my documents and other files; it will take about half an hour.

In the meantime, could you tell me, based on analyzing these results from DDS and ComboFix and others:

1) Which files or folders SHOULD I NOT carry over to the external hard drive?

2a) What is the process of formatting the hard drive and reinstalling from scratch?

2b) Does the Windows OS CD have a built-in format that behaves exactly the same way as booting into DOS and doing a format?

2c) What format should it be formatted under?

3) Could Internet Explorer or Mozilla bookmarks carry over traces of the virus, such that I cannot back those up and should leave them discarded?

4) You mentioned that even after reformatting and reinstalling Windows, anything I do, I have to change passwords on another computer. Why? If this is a brand new install, why should we have to worry about that?

1) Even if I didn't log into any of those banking or purchasing services during the time of this massive virus issue over the past couple of days, they still have access to the login information somehow?


2) If I reformat and reinstall, how could they still trace the machine with the new install?

3) Assuming I get this far and install everything back to the default factory, what can we conclude from this incident? Is it the setup executable that may have caused this virus or if you use a license key, could the ID of that license key cause the tracing of all of these viruses? I'm confused which one it would be between these two.

4) Does the Windows XP CD boot with the format option really do the deepest of the deep root-level format of the hard drive? Or does it simply overlap the previous install?

5) Also, when formatting to NTFS, does it matter if you do a quick format or a full?

6) You mentioned on the first page that I will need to change the ISP password. How do I do that? Also, if I do a format, would this even be necessary? The only reason I ask is because I have several people in the household using this ISP wirelessly and have it set up on a MAC table, but changing the ISP password will probably cause me to have to manually re-add them by going to each device one by one. I just want to know if this is your suggestion even after reformatting.

3) What can we conclude? Download software from the original source only; don't get it from some website that promises you a licence. The installer here was the problem.

4) I would do a full format: wipe the partition, then remake it. I say this because overlapping one OS with another may cause the new OS problems, because remnants of the old OS are there. (Upgrading from XP to Vista causes Internet Explorer errors.)

5) ^ full format

6) The master router (the thing all your wireless devices use) should be fine (assuming it's got a custom password and not the default administrator password); it's just website passwords that are compromised.
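As an added example of the "wipe the partition, then remake it" step (not from the thread, and not what the helper typed), here is a diskpart script driven from PowerShell. The relevant distinction for questions 4 and 5 above is that a quick format, and diskpart's plain `clean`, only rewrite metadata and leave the old sectors in place, while `clean all` writes zeros over every sector of the disk. Formatting the new partition is then left to Windows Setup (choose the full NTFS format, not the quick one). The disk number is an assumption: confirm it with `list disk` first, and never point this at the external drive holding the backup.

```powershell
# Added example, not from the thread. Zeroes the whole disk with diskpart "clean all",
# then creates a single primary partition and marks it active so Windows Setup can
# format it. Run from an elevated shell booted from clean media (WinPE / install disc),
# not from the infected installation.
function Invoke-DiskWipe {
    param(
        [int]$DiskNumber = 0,     # assumption: the laptop's internal disk; verify with "list disk"
        [switch]$IAmSure          # guard against running this by accident
    )
    if (-not $IAmSure) {
        throw "Refusing to run. Check 'diskpart> list disk', then re-run with -IAmSure."
    }

    # diskpart reads its commands from a script file given with /s
    $script = @"
select disk $DiskNumber
clean all
create partition primary
select partition 1
active
exit
"@
    $scriptPath = Join-Path $env:TEMP 'wipe-disk.txt'
    Set-Content -Path $scriptPath -Value $script -Encoding ASCII
    try {
        & diskpart.exe /s $scriptPath
    } finally {
        Remove-Item $scriptPath -ErrorAction SilentlyContinue
    }
}

# Invoke-DiskWipe -DiskNumber 0 -IAmSure
```

`clean all` takes a long time on a large disk because it touches every sector; that is the point. Once Setup has formatted and installed, the old boot sector, partition table and any driver dropped under system32\drivers are gone, which is what the reformat advice in this thread relies on.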

1) So the license key does not allow any hackers to trace you or anyone who uses that key?

In regards to question 6:

1) So after formatting and installing, you would recommend changing the master router password? I would think that if I change the password on that, then all devices using that as an access point (those on the MAC table) wouldn't work and I'd have to manually re-add them with the new password that's not cached in the system, right? Is that how it works?

2) If the infected PC was a laptop that was connected wirelessly to a main router and that got infected (in my case), does that mean that the hacker could obtain information about other devices to hack that are connected to that same main router?

3) Would you recommend using Spyware Doctor, or using Norton for a combined antivirus, spyware and Internet security package?

I think we have a misunderstanding. When I said master password, I wasn't talking about the WEP key. I was talking about access to the router via its IP address (depending on your model, but it's usually 192.168.1.1).

I don't recommend Norton. It's too big and has been known to drag systems down. I would recommend Avira along with Kerio firewall. Both are free.

1) Avira - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

1) You're talking about the admin login for that? I'm not sure how you change that. Is it just by resetting the router by pressing down the pin on the back for 10 seconds? Not sure. I need some help on that.

2) I tried to use Kerio firewall once. It doesn't seem user friendly for non-tech people who are new to installing those things. I installed it once and I couldn't figure out how to get my internet connection up, since I didn't know how to tie that into the router. If the router (which by definition has a built-in firewall) and the software firewall are linked, doesn't that cause complications?

3) Do you know if Spyware Doctor has a built-in firewall? Or is it simply for antivirus and spyware?

You're probably asleep at this time, so I'll check up with you later. Please respond to the previous questions in my last reply.

As an update, I am now typing on what was the originally infected laptop. I spent the last few hours reformatting and reinstalling Windows from scratch. I got the official files for Malwarebytes and Spyware Doctor from the original company websites and installed them before going online. So, the process I followed was:

1) Format and install the Windows XP OS
2) Install laptop drivers (disabling the wireless)
3) Download Malwarebytes and Spyware Doctor from another PC, copy them over, and install them
4) Run quick and full scans
5) Install MS Office and other basic apps
6) Copy backed-up personal files (My Documents, desktop files) over to the newly formatted PC (when I did a select-all before copying, it had over 40 hidden files; I made sure that I didn't select those and said no when it asked if I wanted to include them in the selection)
7) Now online, having Windows do an auto-update, since it was installed up to XP Service Pack 2

Curiously though, for some reason, I ran Malwarebytes a few times and it found nothing, and that was the newest version with file updates. However, with the official Spyware Doctor program from the pctools.com website, I did an IntelliScan (quick) scan, and it found 5 infections of low profile. These results always, and I mean always, seem to pop up in a scan from Spyware Doctor after first installing. I don't know if it's supposed to mean something. There's no corrupted file this time around, and thank God it's not doing anything crazy on me right now, but it doesn't make sense to me. Why is a fresh install of XP and some installs having it pick up a few threats?

They aren't threats. The picture is small, but I can just about read it.

"TrackingCookies" aren't infections; everyone has tracking cookies. If you use Internet Explorer/Firefox and clear the cookies, notice that you get logged out of everything, because cookies are where your login details are stored on your machine.

Adware.Advertising is the same thing, but fix them if you want to. (Although you will get logged out of stuff.)


I was wondering. I just got a clean copy of Spyware Doctor, and I was thinking that since it doesn't have a firewall and intrusion detection, I wanted to install McAfee Total Protection 2009 instead, which has all of that. I have a copy of that as well.

What's your opinion? I know you mentioned that you can't have two apps because they will conflict. How should I proceed with the steps to uninstall and install? Or can I keep them both?

Uh oh, the new Spyware Doctor has been finding some things on the machine, even after reformatting and reinstalling. Take a look at this. It seems every time it finishes scanning, something happens.

The only thing I remember doing is that I accidentally misspelled hotmail.com as something like 'homtial.com' or something like that, and it popped up a site that was blocked by Spyware Doctor, and since then all these strange things have been happening.

Well, it is the history of a recent scan. From the time stamp and my time zone, that scan was about an hour ago, after I accidentally mistyped going to the MSN Hotmail website.

1) Do you think it's anything to worry about?

Also,

2) Another question. I currently have Spyware Doctor installed. Will installing McAfee over this cause complications, or should I uninstall Spyware Doctor first and then install McAfee... OR should I just install McAfee and then deal with the Spyware Doctor uninstall later?

So the ordering of what to install or uninstall first would not be a problem?

Will installing McAfee over this cause complications, or should I uninstall Spyware Doctor first and then install McAfee... OR should I just install McAfee and then deal with the Spyware Doctor uninstall later?

Whoa, McAfee just found this. I don't know why Spyware Doctor never did. I didn't even run this app on the newly installed laptop after reformatting, but somehow this was caught. This program is just for scheduling automated downloads from sites like RapidShare, MegaUpload and other sites.

Anything you think I should be worried about?